If this is your first visit, be sure to
check out the FAQ by clicking the
link above. You may have to register
before you can post: click the register link above to proceed. To start viewing messages,
select the forum that you want to visit from the selection below.

WiFi vuln.

Something Interesting i happened upon, figured i'd post about it.

Disable WPS if you can, guys.

Strictly speaking, the vulnerability lies within the "WPS – PIN" part of the WPS specification.. but since this is the section of WPS that allows connections WITHOUT physical intervention at the access point itself (in the form of pressing a button) - it's more than just theoretical.

"When the PIN authentication fails the access point will send an EAP-NACK message back to the client. The EAP-NACK messages are sent in a way that an attacker is able to determine if the first half of the PIN is correct. Also, the last digit of the PIN is known because it is a checksum for the PIN. This design greatly reduces the number of attempts needed to brute force the PIN. The number of attempts goes from 108 to 104 + 103 which is 11,000 attempts in total,"

Yesterday, Stefan over at .braindump released a white paper detailing vulnerabilities in the WiFi Protected Setup (WPS) protocol that allows attackers to recover WPA/WPA2 passphrases in a matter of hours.

This is a capability that we at TNS have been testing, perfecting and using for nearly a year. But now that this vulnerability has been discussed publicly we have decided to announce and release Reaver, our WPS attack tool, to the open source community. Reaver is capable of breaking WPS pins and recovering the plain text WPA/WPA2 passphrase of the target access point in approximately 4-10 hours (attack time varies based on the access point).
While we have released Reaver as an open source project, we also offer a commercial version with additional features and functionality as well as a support plan. Since nearly all access points manufactured in the past few years have WPS support enabled by default, attacking WPS provides several advantages over attacking WPA directly:

Cracking the WPS pin is, obviously, much faster.

Once you have the WPS pin you can instantly recover the WPA passphrase, even if the owner changes the passphrase.

Access points with multiple radios (2.4/5GHz) can be configured with multiple WPA keys. Since the radios use the same WPS pin, knowledge of the pin allows an attacker to recover all WPA keys.

Of course the disadvantage is that WPS can be disabled. However, in our experience even security experts with otherwise secure configurations neglect to disable WPS; further, some access points don't provide an option to disable WPS, or don't actually disable WPS when the owner tells it to.
To learn more about Reaver, visit our product page, or the open source project on Googlecode.